Commit c9bd97cb authored by Natanael Copa's avatar Natanael Copa

main/xen: security fixes

XSA-204		CVE-2016-10013	x86: Mishandling of SYSCALL singlestep during emulation
XSA-203		CVE-2016-10025	x86: missing NULL pointer check in VMFUNC emulation
XSA-202		CVE-2016-10024	x86 PV guests may be able to mask interrupts

fixes #6570
parent 35c38520
......@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.7.1
pkgrel=3
pkgrel=4
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64 armhf"
......@@ -43,6 +43,10 @@ makedepends="$depends_dev autoconf automake libtool "
# - CVE-2016-9816 XSA-201
# - CVE-2016-9817 XSA-201
# - CVE-2016-9818 XSA-201
# 4.7.1-r4:
# - CVE-2016-10024 XSA-202
# - CVE-2016-10025 XSA-203
# - CVE-2016-10013 XSA-204
case "$CARCH" in
x86*)
......@@ -101,6 +105,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa201-2.patch
xsa201-3-4.7.patch
xsa201-4.patch
xsa202.patch
xsa203-4.7.patch
xsa204-4.7.patch
qemu-coroutine-gthread.patch
qemu-xen_paths.patch
......@@ -347,6 +354,9 @@ e8d3ee1e904071920a6afbbf6a27aad2 xsa198.patch
76394482eaf0caeb3e0611ba70e8923c xsa201-2.patch
136b9ad8b2bcc57d5a7ed3bf13bebe3c xsa201-3-4.7.patch
9cb1516d783fc9c765e9a37574bb3cbd xsa201-4.patch
c519ccfe62d245419ade09de5e8fe4fd xsa202.patch
da401ec1a25668a2dabc666f6687409b xsa203-4.7.patch
dc4ad05682ce371e1755817b22229601 xsa204-4.7.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch
......@@ -407,6 +417,9 @@ d7113b94f6ef1c2849aedfe33eace85b0713fa83639c8a533fb289aa73e818e8 xsa200-4.7.pat
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b xsa201-2.patch
a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76 xsa201-3-4.7.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919 xsa201-4.patch
057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb xsa202.patch
7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46 xsa203-4.7.patch
d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2 xsa204-4.7.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch
......@@ -467,6 +480,9 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c
afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d xsa201-2.patch
ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133fe1d3334c628da784c696161768b275ed3ab64d6140293dc xsa201-3-4.7.patch
1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610 xsa201-4.patch
8f96ec62d9a159370d6c6257d45b7b9e87247ac1ca891033b8f3c9fb86f74d539b9c6d893d31289c6a0f00b967672f76ee9e6875a64d739dcda783ff2911681b xsa202.patch
b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff xsa203-4.7.patch
a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be xsa204-4.7.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
From: Jan Beulich <jbeulich@suse.com>
Subject: x86: force EFLAGS.IF on when exiting to PV guests
Guest kernels modifying instructions in the process of being emulated
for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
next exiting to guest context, by converting the being emulated
instruction to CLI (at the right point in time). Prevent any such bad
effects by always forcing EFLAGS.IF on. And to cover hypothetical other
similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
This is XSA-202.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -109,6 +109,8 @@ compat_process_trap:
/* %rbx: struct vcpu, interrupts disabled */
ENTRY(compat_restore_all_guest)
ASSERT_INTERRUPTS_DISABLED
+ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
+ and UREGS_eflags(%rsp),%r11d
.Lcr4_orig:
.skip .Lcr4_alt_end - .Lcr4_alt, 0x90
.Lcr4_orig_end:
@@ -144,6 +146,8 @@ ENTRY(compat_restore_all_guest)
(.Lcr4_orig_end - .Lcr4_orig), \
(.Lcr4_alt_end - .Lcr4_alt)
.popsection
+ or $X86_EFLAGS_IF,%r11
+ mov %r11d,UREGS_eflags(%rsp)
RESTORE_ALL adj=8 compat=1
.Lft0: iretq
_ASM_PRE_EXTABLE(.Lft0, handle_exception)
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -40,28 +40,29 @@ restore_all_guest:
testw $TRAP_syscall,4(%rsp)
jz iret_exit_to_guest
+ movq 24(%rsp),%r11 # RFLAGS
+ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
+ orq $X86_EFLAGS_IF,%r11
+
/* Don't use SYSRET path if the return address is not canonical. */
movq 8(%rsp),%rcx
sarq $47,%rcx
incl %ecx
cmpl $1,%ecx
- ja .Lforce_iret
+ movq 8(%rsp),%rcx # RIP
+ ja iret_exit_to_guest
cmpw $FLAT_USER_CS32,16(%rsp)# CS
- movq 8(%rsp),%rcx # RIP
- movq 24(%rsp),%r11 # RFLAGS
movq 32(%rsp),%rsp # RSP
je 1f
sysretq
1: sysretl
-.Lforce_iret:
- /* Mimic SYSRET behavior. */
- movq 8(%rsp),%rcx # RIP
- movq 24(%rsp),%r11 # RFLAGS
ALIGN
/* No special register assumptions. */
iret_exit_to_guest:
+ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
+ orl $X86_EFLAGS_IF,24(%rsp)
addq $8,%rsp
.Lft0: iretq
_ASM_PRE_EXTABLE(.Lft0, handle_exception)
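Review bot: In the compat/entry.S hunks the masked guest EFLAGS value appears to be kept in %r11 from the `and UREGS_eflags(%rsp),%r11d` at the top of compat_restore_all_guest until the `or $X86_EFLAGS_IF,%r11` / `mov %r11d,UREGS_eflags(%rsp)` just before RESTORE_ALL, which means %r11 is live across the whole .Lcr4_orig/.Lcr4_alt alternatives region sitting between the two hunks and outside what is shown, and nothing in the new lines records that invariant. A comment on the first added line, `/* %r11d: guest EFLAGS with IOPL/NT/VM cleared; live across the CR4 alternatives below */`, would make the constraint explicit for anyone later editing that region. In the entry.S hunk the hoisted `movq 8(%rsp),%rcx # RIP` now sits between `cmpl $1,%ecx` and `ja iret_exit_to_guest`; mov does not alter the flags so the branch remains correct, but extending that comment to `# RIP (mov preserves flags for the ja below)` would spare the next reader the check. Both restore_all_guest and compat_restore_all_guest continue outside the hunks.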
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/HVM: add missing NULL check before using VMFUNC hook
This is XSA-203.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -1643,6 +1643,8 @@ static int hvmemul_vmfunc(
{
int rc;
+ if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc )
+ return X86EMUL_UNHANDLEABLE;
rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs);
if ( rc != X86EMUL_OKAY )
hvmemul_inject_hw_exception(TRAP_invalid_op, 0, ctxt);
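Review bot: The added guard returns X86EMUL_UNHANDLEABLE with no comment, while the line right below shows that the function's other failure mode is to inject #UD, so a reader cannot tell from the hunk whether the missing-hook case is deliberately reported as unhandleable rather than treated like a failing hook. A short comment above the check, `/* No altp2m VMFUNC support on this platform: nothing to emulate. */`, would record the intent, and the choice between returning UNHANDLEABLE and injecting #UD deserves one sentence in that comment or the patch description. hvmemul_vmfunc's signature is on the hunk header line and its body continues past the hunk, so how rc is consumed afterwards is not visible here.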
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Sun, 18 Dec 2016 15:42:59 +0000
Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
A singlestep #DB is determined by the resulting eflags value from the
execution of SYSCALL, not the original eflags value.
By using the original eflags value, we negate the guest kernels attempt to
protect itself from a privilege escalation by masking TF.
Introduce a tf boolean and have the SYSCALL emulation recalculate it
after the instruction is complete.
This is XSA-204
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index bca7045..abe442e 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1582,6 +1582,7 @@ x86_emulate(
union vex vex = {};
unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
bool_t lock_prefix = 0;
+ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
int override_seg = -1, rc = X86EMUL_OKAY;
struct operand src = { .reg = REG_POISON };
struct operand dst = { .reg = REG_POISON };
@@ -3910,9 +3911,8 @@ x86_emulate(
}
no_writeback:
- /* Inject #DB if single-step tracing was enabled at instruction start. */
- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
- (ops->inject_hw_exception != NULL) )
+ /* Should a singlestep #DB be raised? */
+ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
/* Commit shadow register state. */
@@ -4143,6 +4143,23 @@ x86_emulate(
(rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
goto done;
+ /*
+ * SYSCALL (unlike most instructions) evaluates its singlestep action
+ * based on the resulting EFLG_TF, not the starting EFLG_TF.
+ *
+ * As the #DB is raised after the CPL change and before the OS can
+ * switch stack, it is a large risk for privilege escalation.
+ *
+ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
+ * vulnerability. Running the #DB handler on an IST stack is also a
+ * mitigation.
+ *
+ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
+ * mitigation is to use a task gate for handling #DB (or to not use
+ * enable EFER.SCE to start with).
+ */
+ tf = !!(_regs.eflags & EFLG_TF);
+
break;
}
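Review bot: The comment block added in the SYSCALL case reads `mitigation is to use a task gate for handling #DB (or to not use` / `enable EFER.SCE to start with).`; one of `use`/`enable` is a leftover and the second line should read `enable EFER.SCE to start with).` with the preceding `use` dropped, i.e. `(or to not enable EFER.SCE to start with)`. The recomputation `tf = !!(_regs.eflags & EFLG_TF);` reads the shadow register copy, so it only yields the post-SYSCALL value if the emulation has already applied the guest's MSR_FMASK (where a 64bit kernel masks TF) to `_regs.eflags` earlier in the case body, which lies above the hunk and is not visible here; a one-line comment such as `/* _regs.eflags already has MSR_FMASK applied at this point. */` above the assignment would tie the two together, assuming that ordering holds. The SYSCALL case starts outside the hunk and x86_emulate itself spans far beyond what is shown.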